Severity: SIGNIFICANT. BaFin notification required. Draft report ready for compliance officer review.
The 76-minute auth-gateway outage on 2026-05-18 affected payments for ~18,500 customers and breached the SIGNIFICANT severity threshold under DORA Art. 18. Initial notification to BaFin is due within 24 hours of detection (deadline 2026-05-19 14:22 CET — already met). Intermediate report due 2026-05-21 14:22 CET (in 5 hours). Final report due 2026-06-17.
Output
Severity classification
SIGNIFICANT (DORA Art. 18). The 76-minute outage affected ~18,500 customers — above the 10,000-customer threshold — and the duration exceeded the 60-minute threshold for payments functions. Financial impact estimated at €280k, below the MAJOR threshold (€500k).
Timeline
Detected 2026-05-18 14:22 CET (auth-gateway HTTP 503 spike). Containment by rollback to v3.2.0 at 15:09 CET. Full recovery 15:38 CET. Time to recovery: 76 min. Time to detection: < 60 seconds (alert fired from production monitoring).
Regulator notification windows
Initial: 2026-05-19 14:22 CET — already submitted. Intermediate: 2026-05-21 14:22 CET — due in 5 hours. Final: 2026-06-17 14:22 CET.
Root cause
Memory leak in v3.2.1 of the auth-gateway, introduced in the 2026-05-15 release. Connection-pool entries accumulated without release under sustained traffic. Rollback to v3.2.0 fully resolved the issue.
Next actions for compliance officer
1) Attach incident logs and post-mortem to the report package. 2) Obtain sign-off from CISO and CRO. 3) Submit intermediate report via the BaFin MVP-Portal before 2026-05-21 14:22 CET. 4) Calendar reminder set for final-report deadline 2026-06-17.
Reasoning timeline
Task: Classify severity using DORA Art. 18 thresholds and the bank's internal materiality matrix.
SIGNIFICANT — 18,500 clients affected exceeds the 10,000-customer threshold; duration 76 min exceeds 60-min threshold for payments; financial impact under €500k (below MAJOR threshold).
“An incident shall be considered major if it has a high impact on the network and information systems supporting critical or important functions.”
Task: Extract and order the incident timeline; compute TTR and time-to-detection.
Detected 14:22, Contained 15:09 (47 min), Resolved 15:38 (76 min TTR). No prior incidents on this component in 90 days.
Task: Compute the three DORA reporting deadlines.
Initial (24h after detection): 2026-05-19 14:22 CET — already met. Intermediate (72h): 2026-05-21 14:22 CET — 5h remaining. Final (30 days): 2026-06-17 14:22 CET.
“Financial entities shall submit the following reports to the competent authority: an initial notification, an intermediate report, and a final report.”
Task: Draft each report section in regulator vocabulary.
5 sections drafted: Incident description, Root cause hypothesis, Customer impact, Containment actions, Recovery actions. ~1,800 words total.
Task: Build the human checklist for compliance officer sign-off.
6 items: attach incident logs, attach post-mortem, sign-off from CISO and CRO, submit to BaFin via MVP-Portal, calendar reminder for final report due 2026-06-17.
Task: Assemble the final document and verdict.
Draft is internally consistent, all DORA-mandated sections present, BaFin notification window honoured.